ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-16 20:08:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

final touches for first testing

Browse Source
This commit is contained in:
van Hauser
2020-08-09 23:47:51 +02:00
parent 558a82891a
commit 9ec223c844
2 changed files with 35 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
src/afl-fuzz-one.c
View File

@ -458,16 +458,17 @@ u8 fuzz_one_original(afl_state_t *afl) {
} }
u32 tmp_val; u32 tmp_val = 0;
if (unlikely(afl->fsrv.taint_mode && if (unlikely(afl->fsrv.taint_mode)) {
(tmp_val = (afl->queue_cycle % 3)) != 1)) {
tmp_val = afl->queue_cycle % 2;
ret_val = 0; ret_val = 0;
if (unlikely(afl->queue_cur->cal_failed)) goto abandon_entry; if (unlikely(afl->queue_cur->cal_failed)) goto abandon_entry;
if (unlikely(!afl->queue_cur->passed_det) && !tmp_val) goto abandon_entry;
if (tmp_val == 1 && !afl->queue_cur->taint_bytes_all) goto abandon_entry; if (tmp_val == 1 && !afl->queue_cur->taint_bytes_all) goto abandon_entry;
if (tmp_val == 2 && !afl->queue_cur->taint_bytes_new) goto abandon_entry; if (tmp_val == 0 && !afl->queue_cur->taint_bytes_new) goto abandon_entry;
ret_val = 1; ret_val = 1;
@ -483,10 +484,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
switch (tmp_val) { switch (tmp_val) {
case 1: // do nothing, but cannot happen -> else case 1: // fuzz only tainted bytes
break;
case 2: // fuzz only tainted bytes
fd = open(afl->taint_input_file, O_RDONLY); fd = open(afl->taint_input_file, O_RDONLY);
temp_len = len = afl->taint_len = afl->queue_cur->taint_bytes_all; temp_len = len = afl->taint_len = afl->queue_cur->taint_bytes_all;
@ -536,9 +534,10 @@ u8 fuzz_one_original(afl_state_t *afl) {
} else { } else {
/* Map the test case into memory. */
afl->taint_needs_splode = 0; afl->taint_needs_splode = 0;
/* Map the test case into memory. */
fd = open(afl->queue_cur->fname, O_RDONLY); fd = open(afl->queue_cur->fname, O_RDONLY);
if (unlikely(fd < 0)) { if (unlikely(fd < 0)) {
@ -565,7 +564,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
single byte anyway, so it wouldn't give us any performance or memory usage single byte anyway, so it wouldn't give us any performance or memory usage
benefits. */ benefits. */
out_buf = ck_maybe_grow(BUF_PARAMS(out), len); out_buf = ck_maybe_grow(BUF_PARAMS(out), len + 4096);
afl->subseq_tmouts = 0; afl->subseq_tmouts = 0;
@ -575,7 +574,8 @@ u8 fuzz_one_original(afl_state_t *afl) {
* CALIBRATION (only if failed earlier on) * * CALIBRATION (only if failed earlier on) *
*******************************************/ *******************************************/
if (unlikely(afl->queue_cur->cal_failed)) { if (unlikely(afl->queue_cur->cal_failed &&
(!afl->taint_needs_splode || tmp_val == 1))) {
u8 res = FSRV_RUN_TMOUT; u8 res = FSRV_RUN_TMOUT;
@ -659,9 +659,6 @@ u8 fuzz_one_original(afl_state_t *afl) {
if it has gone through deterministic testing in earlier, resumed runs if it has gone through deterministic testing in earlier, resumed runs
(passed_det). */ (passed_det). */
// custom mutators would not work, deterministic is done -> so havoc!
if (afl->taint_needs_splode) goto havoc_stage;
if (likely(afl->queue_cur->passed_det) || likely(afl->skip_deterministic) || if (likely(afl->queue_cur->passed_det) || likely(afl->skip_deterministic) ||
likely(perf_score < likely(perf_score <
(afl->queue_cur->depth * 30 <= afl->havoc_max_mult * 100 (afl->queue_cur->depth * 30 <= afl->havoc_max_mult * 100
@ -1640,7 +1637,7 @@ skip_interest:
orig_hit_cnt = new_hit_cnt; orig_hit_cnt = new_hit_cnt;
ex_tmp = ck_maybe_grow(BUF_PARAMS(ex), len + MAX_DICT_FILE); ex_tmp = ck_maybe_grow(BUF_PARAMS(ex), len + MAX_DICT_FILE + 4096);
for (i = 0; i <= (u32)len; ++i) { for (i = 0; i <= (u32)len; ++i) {
@ -1814,7 +1811,7 @@ custom_mutator_stage:
fd = open(target->fname, O_RDONLY); fd = open(target->fname, O_RDONLY);
if (unlikely(fd < 0)) { PFATAL("Unable to open '%s'", target->fname); } if (unlikely(fd < 0)) { PFATAL("Unable to open '%s'", target->fname); }
new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), target->len); new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), target->len + 4096);
ck_read(fd, new_buf, target->len, target->fname); ck_read(fd, new_buf, target->len, target->fname);
close(fd); close(fd);
@ -1989,7 +1986,7 @@ havoc_stage:
temp_len = new_len; temp_len = new_len;
if (out_buf != custom_havoc_buf) { if (out_buf != custom_havoc_buf) {
ck_maybe_grow(BUF_PARAMS(out), temp_len); ck_maybe_grow(BUF_PARAMS(out), temp_len + 4096);
memcpy(out_buf, custom_havoc_buf, temp_len); memcpy(out_buf, custom_havoc_buf, temp_len);
} }
@ -2237,8 +2234,8 @@ havoc_stage:
clone_to = rand_below(afl, temp_len); clone_to = rand_below(afl, temp_len);
new_buf = new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch),
ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + clone_len); temp_len + clone_len + 4096);
/* Head */ /* Head */
@ -2303,10 +2300,18 @@ havoc_stage:
if (copy_from != copy_to) { if (copy_from != copy_to) {
if (unlikely(afl->taint_needs_splode)) if (unlikely(afl->taint_needs_splode)) {
if (copy_to > temp_len) copy_to = rand_below(afl, temp_len);
// fprintf(stderr, "\nout_buf %p + copy_to %u, src %p + %u,
// copy_len %u -- len %u\n", out_buf , copy_to, afl->taint_src ,
// copy_from, copy_len, afl->taint_len, afl->queue_cur->len);
memmove(out_buf + copy_to, afl->taint_src + copy_from, memmove(out_buf + copy_to, afl->taint_src + copy_from,
copy_len); copy_len);
else
} else
memmove(out_buf + copy_to, out_buf + copy_from, copy_len); memmove(out_buf + copy_to, out_buf + copy_from, copy_len);
} }
@ -2395,7 +2400,8 @@ havoc_stage:
if (temp_len + extra_len >= MAX_FILE) { break; } if (temp_len + extra_len >= MAX_FILE) { break; }
out_buf = ck_maybe_grow(BUF_PARAMS(out), temp_len + extra_len); out_buf =
ck_maybe_grow(BUF_PARAMS(out), temp_len + extra_len + 4096);
/* Tail */ /* Tail */
memmove(out_buf + insert_at + extra_len, out_buf + insert_at, memmove(out_buf + insert_at + extra_len, out_buf + insert_at,
@ -2490,8 +2496,8 @@ havoc_stage:
clone_to = rand_below(afl, temp_len); clone_to = rand_below(afl, temp_len);
u8 *temp_buf = u8 *temp_buf = ck_maybe_grow(BUF_PARAMS(out_scratch),
ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + clone_len); temp_len + clone_len + 4096);
/* Head */ /* Head */
@ -2526,7 +2532,7 @@ havoc_stage:
/* out_buf might have been mangled a bit, so let's restore it to its /* out_buf might have been mangled a bit, so let's restore it to its
original size and shape. */ original size and shape. */
out_buf = ck_maybe_grow(BUF_PARAMS(out), len); out_buf = ck_maybe_grow(BUF_PARAMS(out), len + 4096);
temp_len = len; temp_len = len;
memcpy(out_buf, in_buf, len); memcpy(out_buf, in_buf, len);
@ -2653,7 +2659,7 @@ retry_splicing:
swap_bufs(BUF_PARAMS(in), BUF_PARAMS(in_scratch)); swap_bufs(BUF_PARAMS(in), BUF_PARAMS(in_scratch));
in_buf = new_buf; in_buf = new_buf;
out_buf = ck_maybe_grow(BUF_PARAMS(out), len); out_buf = ck_maybe_grow(BUF_PARAMS(out), len + 4096);
memcpy(out_buf, in_buf, len); memcpy(out_buf, in_buf, len);
goto custom_mutator_stage; goto custom_mutator_stage;

4
src/afl-fuzz-run.c
View File

@ -349,7 +349,9 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
} }
if (q->exec_cksum) { if (unlikely(afl->fsrv.taint_mode))
q->exec_cksum = 0;
else if (q->exec_cksum) {
memcpy(afl->first_trace, afl->fsrv.trace_bits, afl->fsrv.map_size); memcpy(afl->first_trace, afl->fsrv.trace_bits, afl->fsrv.map_size);
hnb = has_new_bits(afl, afl->virgin_bits); hnb = has_new_bits(afl, afl->virgin_bits);